Since the appearance of W32/Sasser.A, three new variants have been discovered: W32/Sasser.B, W32/Sasser.C and W32/Sasser.D.
These variants all behave in a similar way to W32/Sasser.A and are detected by F-Prot Antivirus using virus signature files
dated 3 May 2004 and later.

1 May 2004

W32/Sasser.A started spreading early in the morning of Saturday 1 May 2004 and was quickly detected by
FRISK Software virus analysts. This worm has gained wide distribution in a short period of time and has, as a result,
been classified as high risk by FRISK Software's virus experts.

Threat Description

W32/Sasser.A is a self-executing worm that spreads by taking advantage of a LSASS vulnerability in Windows
that was first reported on 13 April 2004 in
Microsoft Security Bulletin MS04-011. The worm infects systems running Windows XP and Windows 2000.

The worm does not spread via e-mail and needs no user action in order to propogate. Instead,
it spreads directly from one networked computer to another by taking advantage
of the aforementioned vulnerability and instructing unpatched systems to
download and execute the worm's code.
This technique, combined with the fact that many users have yet to
update their systems, has allowed the worm to spread considerably in a relatively short period of time.

Recommended Reactions

Windows users are urged to update their operating systems
immediately with the
latest patches available from Microsoft.

After updating the virus signature files, users should scan their whole system
with the F-Prot Antivirus OnDemand scanner to ensure that their computer security
was not compromised before the virus signature files were updated.